Why is a wildcard considered insecure?


#1

Sorry to not follow the template, but it’s a recurrent error across any web server and I guess it’s more of a conceptual question:

Why, when I put example.com in place of www.example.com, is it considered insecure by Chrome and Firefox even if they recognize the cert as valid?

It’s the same certificate and it’s the same configuration for both. Is there a configuration option for the domain, or maybe, as a general concept, is the domain always considered insecure?


#2

A wildcard only covers subdomains - so for example a certificate for *.example.com covers www.example.com and blog.example.com and anythingelse.example.com but it does not cover example.com itself, nor does it cover deeper levels of subdomains such as one.two.example.com

You can however get a certificate covering both the wildcard and the base domain - you just have to request both. For example with certbot you would use

certbot -d example.com -d "*.example.com" <other options...>


#3

Well, that’s what I’ve done.
-d "*.example.com" -d example.com
And as I stated, the cert is considered valid. But maybe I’m wrong or I have another problem.

Could someone show me what I should see in the new Google Chrome 67, for example, for a cert that has several domains and subdomains valid for it? For the moment what it gives me is “issued to *.example.com”, but maybe that’s normal…


#4

Maybe you can tell us your actual domain, then we can tell you the actual answer. Right now we’re just guessing.


#5

If your certificate is valid for example.com then browsers shouldn’t complain when it’s used on https://example.com. If they do, maybe it’s not installed correctly?

It’s normal for the “common name” or CN of the certificate to just be one of the names it’s valid for. The real list of valid names is in the “subjectAltName” extension.
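
The matching rule described in posts #2 and #5, as an added example that is not part of the original thread: a simplified Python check of a hostname against a certificate's subjectAltName DNS entries. The function names and SAN lists are constructed for illustration, and the public-suffix handling is a simplifying assumption.

```python
# Added example: hostname matching against a certificate's subjectAltName list.
# Simplified from the wildcard rules browsers apply; all names are constructed.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if one SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.example.com" covers
        # neither "example.com" (too few labels) nor "one.two.example.com".
        return False
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard. Requiring two more
        # labels rejects "*.com" (assumption: a stand-in for the public
        # suffix checks real clients perform).
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def covering_entries(san_list, hostname):
    """Return the SAN entries that make the certificate valid for hostname."""
    return [entry for entry in san_list if san_matches(entry, hostname)]

def report(san_list, hostnames):
    """Map each hostname to True/False: is it covered by any SAN entry?"""
    return {host: bool(covering_entries(san_list, host)) for host in hostnames}

# Constructed SAN lists: wildcard only, and wildcard plus base domain.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_AND_BASE = ["example.com", "*.example.com"]
HOSTS = ["www.example.com", "blog.example.com", "example.com",
         "one.two.example.com", "WWW.Example.COM."]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + base", WILDCARD_AND_BASE)):
        print(label, sans)
        for host, ok in report(sans, HOSTS).items():
            print(f"  {host:22} {'covered' if ok else 'NOT covered'}")
```

The common name plays no part in the check: only the SAN entries are consulted, which is why a certificate shown as "issued to *.example.com" can still be valid for example.com.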


#6

Yeah why not after all.
vigilian-consulting.com, and the cert should be valid for vigilian-consulting.be too, but also for subdomains of both.


#7

No content, but working both with and without www.

Same with .be.


#8

That cert looks fine to me too, on both domains. What exact errors are you seeing in Firefox and Chrome?


#9

Then I have huge problems with my clients ^^ great


#10

If you are talking about e.g.

https://plex.vigilian-consulting.com
https://devboubou.vigilian-consulting.com

then the problem is that they are separate virtual hosts in your web server. You’d need to configure them to use the same certificate.


#11

I’m going to look at that tomorrow. I need some time off I think. Thanks again and sorry for that


#12

No, those ones are okay actually. It was really for the entry level which gave me headaches, so I’m gonna see tomorrow in a rested state.


#13

So apparently there is a cache problem with the certificate. Is there a special cache for certificates or something like that? Or is it the general cache, and I should delete it all?


#14

Normally just press Ctrl with F5 (depends on the browser)

Just look for refresh webpage and clear cache…

Thank you

